This is the report from a security audit performed on iOWN Token by gorbunovperm.
iOWN Token is an ERC20 token for the iOWN project, based on OpenZeppelin. It is intended to work as a standard ERC-20 utility token, to be traded on exchanges and used for payments on the iOWN Platform when it is released.
The contract has minor functionalities added to satisfy requirements, such as releasing tokens as ODR (on-demand release balance; ODR will be released later on).
Commit hash: c559f9ee36f1da2b9fd520a0200ee43b95ac848c
- IownToken.sol
- CappedBurnableToken.sol
- Migrations.sol
- TokenTreasury.sol
- TransfererRole.sol
- UpgradeAgent.sol
- UpgradeableToken.sol
In total, 6 issues were reported including:
- 0 critical severity issues.
- 0 high severity issues.
- 3 medium severity issues.
- 3 low severity issues.
- 0 minor observations.
- The ERC20 approve()/transferFrom() double withdrawal attack is possible.
- Lack of transaction handling mechanism. WARNING! This is a very common issue and it has already caused losses of millions of dollars for many token users!
  Add the following check to the function transfer(address _to, ... ):

      require( _to != address(this) );
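Both medium-severity findings above have textbook fixes, shown together here in a minimal ERC20 core. This is an added example written for this report, not iOWN's code; the contract and function names are assumptions. The transfer-to-self check lives in one internal `_transfer` so that `transfer` and `transferFrom` cannot drift apart, and the allowance is adjusted by deltas (`increaseAllowance`/`decreaseAllowance`, the same names OpenZeppelin uses) so that the final value does not depend on the order in which two allowance updates are mined.

```solidity
pragma solidity ^0.5.0;

// Added example (not iOWN's code): a minimal ERC20 core carrying the two
// fixes for the medium-severity findings. All names are assumptions.
contract HardenedTokenCore {
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowed;
    uint256 private _totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) public {
        _totalSupply = initialSupply;
        _balances[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function totalSupply() public view returns (uint256) { return _totalSupply; }
    function balanceOf(address owner) public view returns (uint256) { return _balances[owner]; }
    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowed[owner][spender];
    }

    // Finding: lack of transaction handling mechanism. Tokens sent to the token
    // contract's own address can never be moved again, so both entry points
    // share one internal routine that rejects address(this).
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "transfer to the zero address");
        require(to != address(this), "transfer to the token contract itself");
        require(_balances[from] >= value, "insufficient balance");
        _balances[from] -= value;
        _balances[to] += value; // cannot overflow: sum of balances == totalSupply
        emit Transfer(from, to, value);
    }

    function transfer(address to, uint256 value) public returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) public returns (bool) {
        require(_allowed[from][msg.sender] >= value, "allowance exceeded");
        _allowed[from][msg.sender] -= value;
        _transfer(from, to, value);
        emit Approval(from, msg.sender, _allowed[from][msg.sender]);
        return true;
    }

    // Finding: double withdrawal attack. Two consecutive absolute approve()
    // calls can both be spent if the spender acts between them. Relative
    // adjustments make the final allowance independent of mining order.
    function approve(address spender, uint256 value) public returns (bool) {
        require(spender != address(0), "approve to the zero address");
        _allowed[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function increaseAllowance(address spender, uint256 addedValue) public returns (bool) {
        require(spender != address(0), "approve to the zero address");
        uint256 newValue = _allowed[msg.sender][spender] + addedValue;
        require(newValue >= addedValue, "allowance overflow");
        _allowed[msg.sender][spender] = newValue;
        emit Approval(msg.sender, spender, newValue);
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtractedValue) public returns (bool) {
        require(spender != address(0), "approve to the zero address");
        require(_allowed[msg.sender][spender] >= subtractedValue, "allowance underflow");
        uint256 newValue = _allowed[msg.sender][spender] - subtractedValue;
        _allowed[msg.sender][spender] = newValue;
        emit Approval(msg.sender, spender, newValue);
        return true;
    }
}
```

`approve()` keeps its absolute ERC20 semantics because wallets and exchanges depend on it; the mitigation is to expose the delta functions and to have integrators change a non-zero allowance through them (or set it to zero first) rather than overwrite one non-zero value with another.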
The contract owner is allowed to pause contract functions (transfer, transferFrom).
The same applies to the freezing mechanism.
The owners can implement any logic in the new contract. And even if the new contract is audited, the address of the new contract can be changed again at any time to an unaudited and insecure one.
_upgradeReady is false by default and there is no way to change this variable. In this case, it is not possible to use the contract upgrade at all.
There are two identical checks:

    require(tokenAddress != address(0), "Invalid token owner address provided");
    require(tokenAddress != address(0), "Invalid token address provided");

but the owner address is not checked at all.
Upgrade should be possible only when the token is released. Otherwise, the totalSupply of the old token and the new token may not match, because validation only occurs against cap().
Several vulnerabilities were discovered in these contracts.